As banks face an end-of-year deadline to strengthen online authentication, one company believes it holds the right card to customer security--a one-time-password.

Los Angeles-based Innovative Card Technologies, or InCard, has found a way to build a display, battery and password-generating chip into a card, such as a credit card. The technology competes with tokens, such as those sold by RSA Security, Vasco and VeriSign.

"We took a form factor that was awkward and fat and miniaturized it," Alan Finkelstein, InCard's chief executive officer, said in an interview. "The current tokens are clumsy and can only do one thing well, issue the one-time password. Our card can be your credit card, your employee ID card and give you access to buildings."

Just like the tokens, the card, called a DisplayCard, generates passwords that can be used to validate online logins or transactions, for example when banking online. The cards offer an extra level of security, in addition to the traditional login name and password. Some banks, such as online broker ETrade Financial, have provided high-net customers with tokens for some time.

It took InCard four years to develop the card, Finkelstein said. The company combined technology from a Taiwanese display maker, a U.S. battery manufacturer and a French security team, he said. A Swiss partner, NagraID, owns the rights to the process to combine the pieces and actually manufacture the technical innards of the card.

The biggest development challenges were the ability to bend the card, power consumption and thickness, Finkelstein said. The result is a card that's as thin and flexible as a regular credit card and is guaranteed to work for three years and 16,000 uses. "Which is about 15 times a day, seven days a week," Finkelstein said.

One card, two chips In the near future, InCard plans to present a card that has two chips, both inside the card. One will generate the password and the other will store personal information, such as details on the last transaction or balance information, he said.

InCard is in talks with various banks and credit card organizations around the globe to get its invention into the market, but it can't announce any deals yet. Visa, however, has already agreed to evangelize the technology to its banks, Finkelstein said.

InCard is well-connected in the banking world. Chairman John Ward previously served as CEO of American Express Bank and held senior positions at Chase Manhattan Bank.

One possible barrier to InCard's success is the price of its card. A credit card with a one-time password generator costs just over $10, much more than the approximately 40 cents it costs to produce a plain card and $5 for a traditional password-generating key fob.

However, InCard says it believes it can overcome that obstacle. Sealing, addressing and mailing a token adds about $5 in cost, according to Finkelstein. "Banks know how to deploy cards in mass numbers...if you combine everything, we're pretty much compatible in cost."

U.S. banks haven't in the past been prepared to pay for tokens and distribute the security gadgets among their customers. The FFIEC recommendation might change that, though there are several options beyond one-time passwords that meet its two-factor authentication definition.

InCard closely controls the rights to produce the one-time-password cards. The card is ready for mass production, according to the company, which plans to license the technology to other players so more cards can be manufactured when needed, Finkelstein said.

About a year and a half from now, InCard expects 5 million of its cards to be in use. The company predicts banks and brokerage firms will hand them out to their best customers.

Report offensive content:

If you believe this comment is offensive or violates the CNET's Site Terms of Use, you can report it below (this will not automatically remove the comment). Once reported, our staff will be notified and the comment will be reviewed.

E-mail this comment to a friend.

E-mail this to:

Note: Your e-mail address is used only to let the recipient know who sent the e-mail and in case of transmission error. Neither your address nor the recipients's address will be used for any other purpose.